Debian Bug report logs - #772705
libc6: buffer overflow in tzset
Message #3 received at [email protected]:
Package: libc6
Version: 2.19-13
The attached crafted timezone file makes tzset(3) crash:
$ TZ=$PWD/crashtz date
*** Error in `date': free(): invalid next size (fast): 0x0916b160 ***
Aborted
Valgrind says:
==7754== Invalid write of size 1
==7754== at 0x40F7D7D: __tzfile_read (tzfile.c:379)
==7754== by 0x40F71D1: tzset_internal (tzset.c:447)
==7754== by 0x40F749E: __tz_convert (tzset.c:632)
==7754== by 0x40F5BDC: localtime (localtime.c:42)
==7754== by 0x8049B94: ??? (in /bin/date)
==7754== by 0x8049885: ??? (in /bin/date)
==7754== by 0x4069A62: (below main) (libc-start.c:287)
==7754== Address 0x41fe816 is 6 bytes after a block of size 0 alloc'd
==7754== at 0x40291CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7754== by 0x40F79A1: __tzfile_read (tzfile.c:278)
==7754== by 0x40F71D1: tzset_internal (tzset.c:447)
==7754== by 0x40F749E: __tz_convert (tzset.c:632)
==7754== by 0x40F5BDC: localtime (localtime.c:42)
==7754== by 0x8049B94: ??? (in /bin/date)
==7754== by 0x8049885: ??? (in /bin/date)
==7754== by 0x4069A62: (below main) (libc-start.c:287)
==7754==
==7754== Invalid write of size 1
==7754== at 0x40F7DDD: __tzfile_read (tzfile.c:389)
==7754== by 0x40F71D1: tzset_internal (tzset.c:447)
==7754== by 0x40F749E: __tz_convert (tzset.c:632)
==7754== by 0x40F5BDC: localtime (localtime.c:42)
==7754== by 0x8049B94: ??? (in /bin/date)
==7754== by 0x8049885: ??? (in /bin/date)
==7754== by 0x4069A62: (below main) (libc-start.c:287)
==7754== Address 0x41fe817 is 7 bytes after a block of size 0 alloc'd
==7754== at 0x40291CC: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==7754== by 0x40F79A1: __tzfile_read (tzfile.c:278)
==7754== by 0x40F71D1: tzset_internal (tzset.c:447)
==7754== by 0x40F749E: __tz_convert (tzset.c:632)
==7754== by 0x40F5BDC: localtime (localtime.c:42)
==7754== by 0x8049B94: ??? (in /bin/date)
==7754== by 0x8049885: ??? (in /bin/date)
==7754== by 0x4069A62: (below main) (libc-start.c:287)
This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages libc6:i386 depends on:
ii libgcc1 1:4.9.2-6
Versions of packages libc6:i386 recommends:
ii libc6-i686 2.19-13
--
Jakub Wilk
[crashtz (application/octet-stream, attachment)]
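A pre-check of the kind one could run on a timezone file from an untrusted source before pointing TZ at it, added here as an example; it is not code from this bug thread or from glibc and does not reproduce the glibc fix. It assumes the TZif version-1 header layout from RFC 8536; the helper name `tzif_v1_check` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: minimal version-1 TZif file, one type "UTC", no transitions. */
const unsigned char sample_utc[54] = {
    'T', 'Z', 'i', 'f',          /* magic; version byte and reserved bytes stay 0 */
    [39] = 1,                    /* typecnt = 1 (big-endian field at offset 36) */
    [43] = 4,                    /* charcnt = 4 (big-endian field at offset 40) */
    [50] = 'U', 'T', 'C', 0      /* abbreviation table; ttinfo at 44..49 is all zero */
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 when the version-1 header counts are consistent with the bytes
 * actually present, -1 otherwise. Hypothetical helper, stricter than a loader. */
int tzif_v1_check(const unsigned char *buf, size_t len)
{
    if (len < 44 || memcmp(buf, "TZif", 4) != 0)
        return -1;
    uint64_t isutcnt = be32(buf + 20), isstdcnt = be32(buf + 24);
    uint64_t leapcnt = be32(buf + 28), timecnt = be32(buf + 32);
    uint64_t typecnt = be32(buf + 36), charcnt = be32(buf + 40);

    /* One-byte type indices cannot reference more than 256 types. */
    if (typecnt == 0 || typecnt > 256 || charcnt == 0)
        return -1;
    if ((isutcnt && isutcnt != typecnt) || (isstdcnt && isstdcnt != typecnt))
        return -1;
    /* Size the counts claim; a 64-bit sum of 32-bit counts cannot wrap. */
    uint64_t need = timecnt * 5 + typecnt * 6 + charcnt + leapcnt * 8 + isstdcnt + isutcnt;
    if (need > len - 44)
        return -1;

    const unsigned char *types = buf + 44 + timecnt * 4;   /* transition type indices */
    const unsigned char *ttinfo = types + timecnt;         /* 6-byte ttinfo records */
    for (uint64_t i = 0; i < timecnt; i++)
        if (types[i] >= typecnt)                           /* index into ttinfo table */
            return -1;
    for (uint64_t i = 0; i < typecnt; i++)
        if (ttinfo[i * 6 + 5] >= charcnt)                  /* index into abbreviations */
            return -1;
    return 0;
}
```

Only the version-1 block is checked; a version 2 or later file carries a second header and data block after it that needs the same treatment with 8-byte transition times.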
Message #6 received at [email protected]:
* Jakub Wilk <[email protected]>, 2014-12-10, 12:30:
>$ TZ=$PWD/crashtz date
>*** Error in `date': free(): invalid next size (fast): 0x0916b160 ***
>Aborted
In case you wonder why anyone would want to use a malformed timezone
file, see bugs #772706 and #772707.
--
Jakub Wilk
Message #13 received at [email protected]:
Hi
This should be addressed with the following commit:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42261ad731
See: http://www.openwall.com/lists/oss-security/2015/04/24/3
Regards,
Salvatore
Message #20 received at [email protected]:
Version: 2.22-1
On 2015-04-24 20:54, Salvatore Bonaccorso wrote:
> Hi
>
> This should be addressed with the following commit:
>
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42261ad731
>
> See: http://www.openwall.com/lists/oss-security/2015/04/24/3
This commit is part of glibc 2.22, which is now in sid. I am therefore
closing the bug with this version.
--
Aurelien Jarno GPG: 4096R/1DDD8C9B
[email protected] http://www.aurel32.net
Last modified: Mon Jun 24 02:10:01 2024